Bottom line: Three popular WordPress plugins were abused to create attacker-controlled admin accounts and install backdoor plugins, with administrators deliberately chosen as the attack vector.
Trusted JavaScript files in the WordPress plugins PushEngage, OptinMonster and TrustPulse were manipulated so that, when loaded by a user logged in as an administrator, they automatically created admin accounts and installed hidden plugins.
Unknown attackers have compromised JavaScript files in at least three popular WordPress plugins: PushEngage, OptinMonster and TrustPulse. The manipulated scripts executed their payload in the browsers of administrators who were logged in at the time the file was loaded.
The attack mechanism is targeted: when an administrator loads the manipulated JavaScript file, a new admin account under the attacker’s control is created automatically. In parallel, a hidden plugin is installed, giving the attacker persistent access to the affected website. The code does nothing when an ordinary site visitor loads the page.
For CISOs, this means: the attack chain shows how seemingly trustworthy supply-chain components can serve as an entry point. Administrators, not the broad visitor base, are the target group, which places the attackers directly at the privileged level of the target installation. Monitoring for unexpected admin accounts and plugin installations is essential for detecting such incidents.
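The monitoring the previous paragraph calls for, as an added example that is not code from the article or from the affected plugins: a baseline comparison that flags new or promoted administrator accounts, newly installed plugins, plugin directories present on disk but absent from the list WordPress reports, and plugin JavaScript files whose hash changed. All snapshot values, logins, slugs and the file path are constructed placeholders.

```python
"""Baseline comparison for the indicators above: unexpected admin accounts,
unexpected or hidden plugins, and modified plugin JavaScript files.
Added example; not from the article or the affected plugins. Snapshots are
constructed dicts; in practice they come from the user and plugin lists
WordPress reports plus a directory walk of wp-content/plugins."""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diff_snapshot(baseline: dict, current: dict) -> list[str]:
    """Return findings for anything in `current` the baseline does not explain.
    Keys: 'roles' (login -> role), 'plugins_reported' (slugs WordPress lists),
    'plugins_on_disk' (directories under wp-content/plugins),
    'js_hashes' (path -> sha256 of the file contents)."""
    findings = []
    # New admin accounts, and existing accounts promoted to administrator.
    for login, role in sorted(current["roles"].items()):
        if role == "administrator" and baseline["roles"].get(login) != "administrator":
            what = "new" if login not in baseline["roles"] else "promoted"
            findings.append(f"{what} administrator account: {login}")
    # Plugins that were not installed when the baseline was taken.
    for slug in sorted(current["plugins_reported"] - baseline["plugins_reported"]):
        findings.append(f"new plugin installed: {slug}")
    # A plugin directory on disk that WordPress does not list is hidden from the UI.
    for slug in sorted(current["plugins_on_disk"] - current["plugins_reported"]):
        findings.append(f"plugin on disk but not listed: {slug}")
    # Trusted script files whose content changed or that appeared unexpectedly.
    for path, digest in sorted(current["js_hashes"].items()):
        expected = baseline["js_hashes"].get(path)
        if expected is None:
            findings.append(f"unexpected script file: {path}")
        elif expected != digest:
            findings.append(f"modified script file: {path}")
    return findings

# Constructed sample data; the path, logins and extra slugs are placeholders.
_JS = "wp-content/plugins/pushengage/placeholder.js"
BASELINE = {
    "roles": {"siteadmin": "administrator", "editor1": "editor"},
    "plugins_reported": {"pushengage", "optinmonster", "trustpulse"},
    "plugins_on_disk": {"pushengage", "optinmonster", "trustpulse"},
    "js_hashes": {_JS: sha256_hex(b"original script body")},
}
CURRENT = {
    "roles": {"siteadmin": "administrator", "editor1": "administrator", "wp_support_7": "administrator"},
    "plugins_reported": {"pushengage", "optinmonster", "trustpulse", "seo-helper"},
    "plugins_on_disk": {"pushengage", "optinmonster", "trustpulse", "seo-helper", "wp-core-sync"},
    "js_hashes": {_JS: sha256_hex(b"original script body // injected")},
}

if __name__ == "__main__":
    for finding in diff_snapshot(BASELINE, CURRENT):
        print(finding)
```

Run against snapshots taken on a schedule, every finding is an event to review; an empty result against the known-good baseline is the expected steady state.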
Source: thehackernews.com · Published 15 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.